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We present a general scheme for sharing quantum secrets, and an extension to sharing classical secrets, which 
contain all known quantum secret sharing schemes. In this framework we show the equivalence of existence of 
both schemes, that is, the existence of a scheme sharing a quantum secret implies the extended classical secret 
sharing scheme works, and vice versa. As a consequence of this we find new schemes sharing classical secrets 
for arbitrary access structures. We then clarify the relationship to quantum error correction and observe several 
restrictions thereby imposed, which for example indicates that for pure state threshold schemes the share size q 
must scale with the number of players n as q > ^Jn. 
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Secret sharing is an important primitive in information net- 
works, for example in online auctions, electronic voting, se- 
cure multiparty function evaluation, first introduced in the 
classical setting in |Q]]. The problem setting is that a dealer 
d wishes to distribute a secret (we will consider both classi- 
cal and quantum secrets) to a set of n players, such that only 
certain sets of players can access the secret (we call these the 
authorized players), and certain sets of players cannot access 
the secret (we call these the unauthorized sets of players). The 
assignment of authorized and unauthorized sets is called the 
access structure. Any such scheme can be loosely described 
as a 'ramp' scheme, described by three parameters, (k, k', n), 
where any set of players B such that \B\ > k can access the 
secret, whereas any set such that \B\ < k' cannot get any in- 
formation at all. Clearly this description does not cover the 
full access structure in between k and k'. When k' = k — 1, it 
does however, and this is called a 'threshold' scheme, denoted 
(k, n). Often it suffices to consider threshold schemes since 
all access structures can be built from them. 

We consider two quantum extensions of the secret sharing 
problem, first put forward in ijUlHl, which have found applica- 
tion, for example in secure multiparty quantum computation 
0]. The first is the sharing of a quantum secret H, that is 
the dealer wishes to distribute a quantum state such that only 
authorized players can access it, and unauthorized cannot. We 
refer to this protocol family as QQ (following the notation of 
llolo . It was shown in lU that in principle all access struc- 
tures not contradicting no-cloning can be achieved. The sec- 
ond quantum version we consider is the sharing of a classical 
secret using quantum channels, introduced in yj. It is known 
that there exist informationally theoretically secure schemes 
to share a classical secret |jj], however, these schemes require 
a secure channel between the dealer and each player. One way 
of resolving this issue would be to use n quantum key distri- 
bution (QKD) channels from the dealer, one to each player, 
and then use the Shamir scheme. Another way, presented in 
y]] combines the idea of QKD with secret sharing directly, this 
can be more efficient than the direct use of QKD. By choos- 
ing a suitable entangled state shared between the dealer and 
the players, the dealer is able to share a secret key with the 



players such that only authorized players can access the key. 
We refer to this family of protocols as CQ (again following 
the notation of fioll ). The only known existing CQ schemes 
are threshold with parameters (n, n)y]], (2, 3) 1 1 ill and (3, 5) 

In lloll a link was presented between QQ and CQ protocols 
where it was shown that in some instances the same frame- 
work could be used for both using graph states (first for qubits, 
then for qudits in HHo . The usefulness of this connection 
is many fold. On a practical level sharing the same frame- 
work is advantageous since any implementation for one can be 
adapted to perform the other. On the theoretical level the ad- 
vantages are very rich. On the one hand it allows new COpro- 
tocols to be found via translation from QQ, as in id, EI. In 
the other direction, techniques for constructing CQ schemes 
(which can often on the face of it appear much simpler) can 
be used to construct QQ schemes. Furthermore there is a deep 
relationship between QQ and quantum error correction. This 
opens up the door to the possibility of using powerful tools 
from error correction theory to investigate secert sharing , and 
new techniques from secret sharing to find new error correct- 
ing schemes. Graph state methods for finding CQ schemes 
have recently yielded many results in this direction ll25l l27ll . 
The general relationship between QQ and CQ secret sharing 
is to date unclear however, and we can only expect more use- 
fulness to be gained. 

We present the most general QQ secret sharing scheme for 
sharing a quantum secret and its extension to a CQ scheme, 
which formally encompass all quantum existing secret sharing 
schemes. We show that the existence of such a QQ implies the 
extension to CQ case has the same access structure and secu- 
rity is maintained, and similarly, if there exists a CQ scheme of 
this type, the quantum version also is a valid QQ secret shar- 
ing scheme. This allows us to use the QQ schemes from 
for the extended CQ scheme, allowing all access structures for 
the first time. We then draw an equivalence between QQ and 
quantum error correction, showing that all ramp schemes are 
error correcting schemes and vice versa. Several restrictions 
are thus imposed, notably, that for pure state QQ threshold 
schemes, the size of the share must scale with the size of the 
network (something which is also true in the fully classical 
setting). 
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The most general QQ quantum secret sharing protocol can 
be understood as a map from a quantum secret state |£) = 
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Y*<Xi\i) t0 a multipartite state |Ci)i... n = 52i a i\ i L)i...n 
shared between the players l...n, encoded onto some logical 
basis {|ii}i...„}, which is designed such that authorized sets 
of players can access the secret and unauthorized sets of play- 
ers cannot. Without loss of generality we take to be 
an orthonormal basis. An encoding onto a non-orthogonal ba- 
sis can be understood as some preprocessing taking the state 
input |C) to a state corresponding to the non-orthogonal 
encoding, and then following the map above. A mixed state 
encoding can always be purified into a map as above, followed 
by tracing out of some systems (in which case the number of 
active players would be less than n). In this way this repre- 
sents the most general scheme. 

For any such scheme, we extend to sharing classical secrets 
by introducing what we call a channel state between system d 
held by the dealer and the players' systems l...n, 

1 9-1 

\CS) dA ... n :=— 5^|i)d|i L )i...n. (1) 

This is a maximally entangled state between d and the play- 
ers, and can be understood as a channel from the dealer to the 
players. In the case of QQ this channel is used to teleport the 
secret from the dealer's qubit to the players (that is, it acts 
simply as an encoding process for the most general scheme). 
In the case of CQ this channel is used to establish a secure 
random key between the dealer and the players (as per the Ek- 
ert protocol |8|]). In both cases it is the choice of the logical 
basis {|iL)i...n} gives rise to the access structure. This exten- 
sion covers all known CQ schemes 10, [13 Ell ( U P to possible 
reordering of public communication steps, e.g. [? ]). 

For the CQ extension it will be useful to define general- 
ized Pauli operators, X\i) = \i + 1), Z\i) = oj l \i), where 
u> = e l27T / q , where q is the dimension of the secret. For sim- 
plicity we consider prime dimension q. We further denote 
\i(t)) as the eigenstates of X l Z. The channel state can then 
be expanded as 

1 9-1 

\CS) dA ... n = —J2\i(t))d\i(t) L )i...n, 

where the bases are also orthonormal and comple- 

mentary, that is \(i{t)L\j(t') L )\ 2 = 1/gwheni =£t'. 

We will first describe the protocols, then make precise what 
we mean exactly by authorised and unauthorised sets for both 
QQ and CQ, and security for the CQ protocol. 

QQ Protocol: Let \() d , = X)?"* a t \i) d , e C be the secret 
state in possession of the dealer. 

1 . The dealer prepares a channel state (Q]), then does an ex- 
tended Bell measurement over d and d' and appropriate 
corrections, leaving the state of the n qudits as 

9-1 

/J i...n- (2) 

4=0 



2. The dealer sends qudit £ of the resultant state to player 

L 

3. Players in authorized set B follow a prescribed decod- 
ing operation Tb (involving syndrome measurements 
and correction). 

The protocol is then defined by encoding basis {|iz,)i... ra }, and 
decoding operations Tb for each authorized set B. At the end 
the authorized set B have the quantum secret. 

CQ Protocol: The CQ protocol does not directly distribute 
a secret classical message from the dealer to the players, rather 
it is a protocol to establish a secure key between the dealer 
and the players, such that only authorized sets of players can 
access the key. In this sense it may be considered more accu- 
rately as secret key sharing. This key can then be used by the 
dealer to share a secret message such that it can only be read 
by authorized sets of players. The CQ protocol is an extension 
of those presented in iB llOlfTTIl . to the more general case not 
using graph states. We now outline the protocol. 

1. The dealer prepares a channel state (fl]) and sends qudit 
£ to player I. 

2. The dealer randomly measures his qudit d among the 
bases: {X f Z} q t ~Q . We denote the result r(t). The state 
of the players is then projected to 

|r(i) L )i...n. (3) 

3. An authorised set B randomly measures in one of the 
prescribed measurements {Mg}'Z , with result de- 
noted s(t'). 

4. Repeat step 1. 2. 3. m — > oo times. The list of mea- 
surement results r(t) and s(t') are the raw keys of the 
dealer and players B respectively. 

5. SECURITY TEST: Follow standard QKD security steps. 
Through public discussion first sift the key such that 
the only remaining results are such that t = t' . Second, 
verify for a random subset that s(t) — r(t). If this is 
not the case, abort, if it is, keep the remaining results as 
the shared random key. 

At the end, if the protocol is not aborted, the dealer and 
the authorised set share a secure key which can be used to 
distribute a classical secret securely. 



We now define what it means to say sets of players are au- 
thorised or unauthorised for both CQ and QQ protocols. For 
later proofs comparing the two protocols it will be useful to 
also talk about equivalent information theoretic conditions. 
For this we define the channel A from system d' to subset 
of players B as the encoding procedure in QQ giving state © 
followed by tracing out all but the players B. 

We first look at the QQ case. 
QQ Authorised sets We say a set of players B is authorised 
if they can perfectly access the quantum secret, that is, if there 
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exists a decoding procedure T b acting only on those players, 
which can perfectly recover the secret input state \(). 

If the quantum information is accessible through the 
channel A, then the quantum mutual information be- 
tween two halves of a maximally mixed state after 
one half has been sent down the channel is maxi- 
mal 1 1 211 - That is to say I(r;A) = 21og 2 q, where 
7(r;A) = S(r) + 5(A(r)) - S((id ® A)(|$„><*,|)), 
t = ^2~2i=o i s a maximally mixed state, 

l^g) = q J2i=o I") * s a maximally entangled state and 
S is the Von Neuman entropy (S(p) = —tr(p log(p))). 

QQ Unauthorised sets We say a set of players B is 
unauthorised if it has no access to the quantum secret what- 
soever, that is, the reduced density matrix ps is independent 
of the quantum input Information theoretically, if the 
quantum information is completely denied through the 
channel A, (the output of the channel can only guess the 
secret with equal probability), then I(t; A) = 0. 

We now look at the CQ protocol. 
CQ Authorised sets We say a set of players B is authorised if 
it can access the secret, that is, if there exists a (possibly joint) 
measurement on their systems which allows them to discover 
the dealers measurement result r(i) for each setting t. 

To rewrite this in information theoretic language, it suffices 
to consider the channel from the dealer to the players B, where 
for each t, the dealer sends a specific chosen state \r(t) l)i...u 
to the players encoding the classical information r(t), chosen 
according to a uniform distribution. The ability, or not, of a set 
of players to access this classical information is equivalent to 
them being able to discover the dealer's measurement result in 
the CQ protocol. In terms of the action of the channel A above, 

this corresponds to a set of inputs {J7*|«}}f=0' where Uis the 
fourier transform of rank q, t € [q\. That is, each \r(t)i,)i... n , 
corresponds to an input state {7*|r)d'. Thus to verify that this 
channel works perfectly for each such message, we are inter- 
ested in the classical information that can be transmitted for 
a random distribution over the alphabet for a given t, which 
we denote £ t = ^*K)}f=o ■ We use Holevo information 
for characterizing the amount of classical information trans- 
mittable through a quantum channel A, defined by : 

x (A(£: f )) = 5(i^A([/ f | l )( l !t/ it ))-i^5(A(t/ t |i)< l |C/ tt )). 

i i 

If the classical information is accessible through the 
quantum channel A perfectly, then the Holevo information 

CQ Unauthorised sets We say a set of players B is 
unauthorised if the dealer's result r(t) is completely denied 
to them, that is, if the reduced state ps of those systems has 
no dependence on r(t). In information theoretic terms, for 
the channel A and the set of inputs above, this is equal to 
saying that x(A(£ t )) = 0. 

CQ Security For CQ protocols there is the additional 
condition of security. As in all previous CQ work iB flolfTTll . 



our protocols as they stand do not guarantee complete security 
against arbitrary attacks, but rather, against only intercept 
resend, and are not tolerant to noise. We should mention that 
it is expected that security proofs existing for standard QKD 
may be extended to these protocols also. Security against 
intercept resend attacks is guaranteed if any purification 
H')d.B,E compatible with the results of the security test 
has the property that the reduced density matrix pdE is not 
correlated across d and E, 

PdE=Pd®PE- (4) 

This ensures that the dealer's results are independent of any 
measurements any eavesdropper E might make. 

We now explore the relationship between the existence of 
protocols for CQ and QQ as described above. We will show 
the fact that for given logical encoding basis {|«z,)}, the exis- 
tence of a QQ protocol and CQ protocol are related. 

For the QQ and CQ schemes defined as above from a chan- 
nel state \CS), with logical basis the following rela- 
tionships hold: 

Proposition 1. 

/. A QQ authorised set, is a CQ authorised set. 

2. A QQ unauthorised set is a CQ unauthorised set. 

3. A CQ authorised set is a QQ authorised set. 

Proof: 1 and 2 are clear since the access of the classical 
information is a special case of the quantum information. We 
directly deduce 3 from the lemma 1 of lfl3tl . This lemma says 
that 

x(A(£b)) + x(A(£i))<J(r:A) (5) 

where £o = { i H)}» £i = { j U\i)}, with U a fourier trans- 
form of dimension q, A a CPTP map, \ the Holevo informa- 
tion. 

If a set B can access in the CQ protocol, after going through 
the associated quantum channel A, the classical information 
is accessible in at least two mutual unbiased bases {\i)} and 
{U\i}}, this means that x(A(£ )) = x(A(£i)) = log(g), 
hence 7(r : A) > 2 \og(q) Moreover from its definition we 
have I(t : A) < 21og(g). Hence I(t : A) = 21og(g), which 
means that the information is quantumly accessible. □ 

We note that it is not true that a CQ unauthorised set is 
automatically QQ unauthorised. However, as we will see ad- 
ditional mixing can address this and further, for pure state QQ 
the unauthorised sets exactly determined by the authorised 
sets, so that the connection between QQ and CQ is exact. 

In addition, we will now show that a valid access struc- 
ture for a CQ protocol implies a secure key distribution, in the 
sense where if the Protocol go through the Security test (Step 
6), then we show that for any state ps outside the encoded 
state (which could be an eavesdropper as the environment), 
we have pdE = I /q® Pe where pd is the dealer's state, and 
so, pe is independent of the dealer's measurement. 

Proposition 2. A CQ authorised set is a CQ secure set. 
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Proof: See appendix. 

From these results we can immediately see that the schemes 
presented in allowing for all QQ access structures can be 
used to give new CQ protocols allowing for all access struc- 
tures. Furthermore this can be done using high dimensional 
graph states l30ll . 

We now clarify the relationship between QQ and quantum 
error correcting codes (QECC). A QECC encodes a space of 
dimension k onto n systems (or shares), such that errors on 
some subsets of systems can be tolerated. For a distance d, 
and shares of dimension q we denote a QECC as ((n, K, d)) q , 
which means that the code can tolerate the loss of d — 1 shares 
(systems). Clearly one can use such an encoding as a QQ, and 
in the language of ramp schemes, if each share is a player, this 
means that k = n — d + 1. Which players are unauthorised is 
apriori not given for a code and must be checked. Similarly it 
is clear that any QQscheme is a QECC with d = n — k + 1. 

It was noticed in y|] that for the case of error correcting pro - 
tocols encoding onto pure states, the situation becomes much 
simpler. It turns out that in this case it can be seen that the 
tolerance of a code to the loss of a set of shares B is exactly 
equivalent to the same set B not getting any information what- 
soever about the encoded information. When used for QQ this 
means its ramp scheme parameter is k' < n — k. But by no 
cloning k' > n — k. Thus for all QQ with pure state encodings 
k' = n — k. This extends the restriction of k = (n + l)/2 for 
threshold schemes noticed in ft^. 

Furthermore, it gives a general relationship: a pure state 
QECC protocol ((n, k, d)) q is equivalent to a QQ ramp 
scheme where all shares are considered as players with pa- 
rameters (k, k' — n — k, n). That is all such QECC are QQ 
ramp schemes with those parameters, and vice versa. 

We can then ask what else is imposed by the relationship 
with error correction. One important question is that of share 
size. It can easily be seen that the Singleton bound implies 
that for threshold schemes with pure state encoding n < q. 
Hence for k = q (as is the case for many codes, including 
all stabiliser codes) all pure state threshold schemes must be 
MDS codes. This implies something that has been shown for 
small 77 cases in 11011 . which is that, for all pure state threshold 
QQ secret sharing schemes encoding a secret equal to the size 
of each share, the dimension of each share must scale with n, 

• >^?. 

This bound follows from the fact that the code saturates the 
Singleton bound, as shown in ifTill . Indeed the MDS con- 
jecture for such codes states that it would scale as badly as 
q > \/n — l. 

We note that the above results need only hold for pure state 
error correcting schemes. Mixed state schemes can of course 
exist, which do not need to satisfy these properties. Indeed, as 



pointed out in 0], it is possible to go from (n, k = n + 1/2) 
to (n — I, k) threshold schemes by throwing away I systems. 
Clearly these mixed schemes to not satisfy k' = n — k. 
Such schemes were used in to show that all QQ thresh- 
old schemes can be achieved using quantum Reed Solomon 
codes. It is these schemes which when translated to CQ 
schemes (through our general relationship above) show all 
threshold schemes are possible for CQ also. Note that this 
approach of discarding shares clearly holds in the CQ exten- 
sions presented in this work, hence a QQ (k, k' , n) mixed state 
scheme implies a CQ (k, k', n) mixed state scheme. Another 
set of schemes which have been developed recently which 
do not satisfy © SHI- 

The idea of these schemes is to 
take pure state error correcting schemes, which are necessarily 
(k, k! = n—k, n) ramp schemes, thus guaranteed quantum ac- 
cess to at least k, and add classical mixing on top to increase k' 
arbitrarily (where classical information is distributed via clas- 
sical secret sharing protocols over secure channels). Since the 
original quantum codes are no longer threshold schemes, they 
do not have to saturate the Singleton bound, and hence do not 
have to satisfy ©. However, even in this case it seems there 
are some restrictions on share size 111 71 . Note also that both 
theses sets of schemes can be purified, and their purifications 
clearly fall into our generalized schemes and must satisfy the 
above still. Although such purifications are impractical, these 
schemes still fit into our framework, and this fact may well 
impose restrictions on the mixed protocols also. 

On the one hand, these results mean that all quantum error 
correction can then be used for both CQ and QQ secret shar- 
ing. In the other direction, these results give a new method for 
searching for new error correcting schemes starting from CQ 
schemes. In particular for graph state schemes, many tools 
have recently been developed to phrase the conditions for CQ 
secret sharing in soley graphical language, which have been 
used to search for new CQ schemes ||241 - |26[ l30ll which are 
therefore valid QQ and QECC schemes. Through the general 
connection shown in this work, such techniques can also be 
used to search for new quantum error correcting codes, in par- 
ticular for higher dimensional codes which are seen to be nec- 
essary for the most efficient codes and general access struc- 
tures. 
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Appendix A: Proof of Proposition 2 

For any measurements M B , one can always define a unitary over a purification of the measurement V B , (where B' represents 
the total purification space with possibly additional ancillas) , such that the outcome of a results matching the measurement 
X t Zd as per the security test, imply for any purification of the total state to include a possible eavesdropper E, that 

X^Z d <g> V B , ® I E W)dB'E = \<P)dB'E (Al) 

In particular this is true for t = and t = 1, so that [Z d ® V°b> <8> lE)\f)dB'E = \<p)dB'E and (XdZd ® V 1 b> <£> I E )\v)dB' e = 
\<p)dB'E- We deduce then that for all m,n <G {0, ..,q — 1} there exists a unitary operator M m>ng , such that 
(X^ZX ® M m ^ B , ® I E )\p)dB>E = \<p)dB>E- 



PdE = Tr B >(\<p)dB'E(<p\) 

= Tr B'(/Z \( X dZT ® M m , nB , ® I E )\<p)iB>E('p\(X2Z?®M m , nB , <8 

m,n 

= £ ±(X2Z? ® lE)Tr B >(\<p)dB>E{<p\)(X2Z? ® I E ) 1 

= (£ d ® I E )(PdE) 

= (£ d ® lE)(^2pi 3 ki\i) d\j) E{k\d{l\E) 

ijkl 

= ^2pijki£d(\i)d(k\d) ® \j)e(1\e, 

ijkl 

where we define £(N) := Em,» x * z * N< ga z * rl . So £{I) = I and Vi,j £(Z i X j ) = 0, so for all matrix 
M in the operator space, M = Yl,Yj=o a i.jZ t X^ , we have £(M) = TliMll m Hence £ d (\i)d{k\d) = <5ife| and 
PdE = EywPyW^ftf ® \])e{1\e = f Y,ji{YX:lPw)\j)E{l\E = f ® Pe- □ 
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From this it follows that any set authorized in two mutual unbiased bases can share a secret key with the dealer. Thus, with 
an (n, k, k') CQ scheme, any set of size greater than k can share a secret key with D. Any set of size less than k' cannot. But 
in between, there is some particular sets that potentially can. In other words, by checking the fc-accessibility for two mutual 
unbiased bases, we guarantee that any subset of k players and more can share a secret key with D in any two of the q+1 mutual 
unbiased bases. Nevertheless, the fc'-privacy parameter may not be the same for each bases. And checking it for two does not 
imply anything for the others. Note that if the k' parameters are equal for any bases, than the graph state is (n, k, k') for QQ 
(and k' = n — k). The relevance of k' will be established according to the situation. 



